Create encrypted loopback filesystems on Linux

One nice feature about Mac OS X that is widely advertised is the fact that you can create encrypted disk images very easily. These disk images can be used to store documents and files, and can be mounted and unmounted on demand. In fact, the FileVault feature of OS X allows the entire home directory to be so encrypted and mounted that in the event that a laptop is stolen, the contents of the user's home directory is completely unavailable.

The same can be done in Linux. Using the loopback filesystem interface, you can create encrypted filesystems very easily. These filesystems are great for storing sensitive documents be it SSH or GnuPG keys, financial documents, etc.

To begin, you'll need to load the aes and cryptoloop modules in the kernel if they are not already available. This can be done by executing:

# modprobe cryptoloop

# modprobe aes

Most modern Linux distributions provide these modules from the get-go, so you shouldn't have to recompile the kernel. Once this is done, create the filesystem container, associate it to a loopback device interface, and format it:

# dd if=/dev/urandom of=enc.img bs=1M count=50

# losetup -e aes /dev/loop0 enc.img

Password:

# mkfs -t ext2 /dev/loop0

# mount /dev/loop0

# mount -o loop,encryption=aes enc.img /media/disk

The first step creates an empty image file called enc.img with a size of 50 MB; you can increase this by changing the count value. Next, use losetup to associate the enc.img file to the /dev/loop0 device and tell it that the device is to be encrypted with AES encryption. This command uses 128-bit AES encryption; look at the losetup manpage to see what other encryption types you can use. You will have to provide a password that will be used from that point forward to access the image.

Next, the filesystem is formatted with the ext2 filesystem. Finally, it is mounted to /media/disk. The options passed to mount tell it to use the loopback interface and the encryption type needed. When you call mount, you will have to provide the password you used to encrypt the image.

Putting this kind of image in /etc/fstab will not work unless you want to be prompted for your password on each boot. Instead, this should be accessed as needed. For instance, you could store the file as ~/.enc.img so it's hidden from normal view, with mode 0600 permissions. Wrapper scripts could be written to mount and umount the image easily: